Limit permissions needed by the service principal to run actions

github-action/README.md

@@ -34,7 +34,7 @@ jobs:
         creds: ${{ secrets.AZURE_CREDENTIALS }}
 
     - name: 'Sync the NGINX configuration from the GitHub repository to the NGINXaaS for Azure deployment'
-      uses: nginxinc/nginx-for-azure-deploy-action/[email protected].0
+      uses: nginxinc/nginx-for-azure-deploy-action/[email protected].1
       with:
         subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
         resource-group-name: ${{ secrets.AZURE_RESOURCE_GROUP_NAME }}
@@ -77,7 +77,7 @@ jobs:
         subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
     - name: 'Sync the NGINX configuration from the GitHub repository to the NGINXaaS for Azure deployment'
-      uses: nginxinc/nginx-for-azure-deploy-action/[email protected].0
+      uses: nginxinc/nginx-for-azure-deploy-action/[email protected].1
       with:
         subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
         resource-group-name: ${{ secrets.AZURE_RESOURCE_GROUP_NAME }}
@@ -106,7 +106,7 @@ To use this action to sync the configuration files from this example, the direct
 
 ```yaml
     - name: 'Sync the NGINX configuration from the GitHub repository to the NGINXaaS for Azure deployment'
-      uses: nginxinc/nginx-for-azure-deploy-action/[email protected].0
+      uses: nginxinc/nginx-for-azure-deploy-action/[email protected].1
       with:
         subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
         resource-group-name: ${{ secrets.AZURE_RESOURCE_GROUP_NAME }}
@@ -139,7 +139,7 @@ The action supports an optional input `transformed-nginx-config-directory-path`
 
 ```yaml
     - name: 'Sync the NGINX configuration from the Git repository to the NGINXaaS for Azure deployment'
-      uses: nginxinc/nginx-for-azure-deploy-action/[email protected].0
+      uses: nginxinc/nginx-for-azure-deploy-action/[email protected].1
       with:
         subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
         resource-group-name: ${{ secrets.AZURE_RESOURCE_GROUP_NAME }}
@@ -172,7 +172,7 @@ See the example below
 
 ```yaml
 - name: "Sync NGINX certificates to NGINXaaS for Azure"
-        uses: nginxinc/nginx-for-azure-deploy-action/[email protected].0
+        uses: nginxinc/nginx-for-azure-deploy-action/[email protected].1
         with:
           subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
           resource-group-name: ${{ secrets.AZURE_RESOURCE_GROUP_NAME }}
@@ -186,7 +186,7 @@ See the example below
 
 ```yaml
  - name: "Sync NGINX configuration- multi file and certificate to NGINXaaS for Azure"
-        uses: nginxinc/nginx-for-azure-deploy-action/[email protected].0
+        uses: nginxinc/nginx-for-azure-deploy-action/[email protected].1
         with:
           subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
           resource-group-name: ${{ secrets.AZURE_RESOURCE_GROUP_NAME }}

github-action/action.yml

@@ -10,10 +10,6 @@ inputs:
   nginx-deployment-name:
     description: "The name of the NGINXaaS for Azure deployment."
     required: true
-  nginx-deployment-location:
-    description: "The location where the NGINX deployment is located. Example westcentralus"
-    required: false
-    deprecationMessage: "This field is not in use and will be removed in a future release. Consider dropping it from your Github Action configuration."
   nginx-config-directory-path:
     description: 'The NGINX configuration directory path relative to the root of the Git repository, example: "config/".'
     required: false
@@ -40,8 +36,8 @@ runs:
   using: "composite"
   steps:
     - name: "Synchronize NGINX certificate(s) from the Git repository to an NGINXaaS for Azure deployment"
-      run: ${{github.action_path}}/src/deploy-certificate.sh --subscription_id=${{ inputs.subscription-id }} --resource_group_name=${{ inputs.resource-group-name }} --nginx_deployment_name=${{ inputs.nginx-deployment-name }} --nginx_resource_location=${{ inputs.nginx-deployment-location }}  --certificates=${{ toJSON(inputs.nginx-certificates) }} --debug=${{ inputs.debug }}
-      if: ${{ inputs.nginx-deployment-location != '' && inputs.nginx-certificates != '' }}
+      run: ${{github.action_path}}/src/deploy-certificate.sh --subscription_id=${{ inputs.subscription-id }} --resource_group_name=${{ inputs.resource-group-name }} --nginx_deployment_name=${{ inputs.nginx-deployment-name }} --certificates=${{ toJSON(inputs.nginx-certificates) }} --debug=${{ inputs.debug }}
+      if: ${{ inputs.nginx-certificates != '' }}
       shell: bash
     - name: "Synchronize NGINX configuration from the Git repository to an NGINXaaS for Azure deployment"
       run: ${{github.action_path}}/src/deploy-config.sh --subscription_id=${{ inputs.subscription-id }} --resource_group_name=${{ inputs.resource-group-name }} --nginx_deployment_name=${{ inputs.nginx-deployment-name }} --config_dir_path=${{ inputs.nginx-config-directory-path }} --root_config_file=${{ inputs.nginx-root-config-file }} --transformed_config_dir_path=${{ inputs.transformed-nginx-config-directory-path }} --debug=${{ inputs.debug }}

github-action/src/deploy-certificate.sh

@@ -17,10 +17,6 @@ case $i in
     nginx_deployment_name="${i#*=}"
     shift
     ;;
-    --nginx_resource_location=*)
-    nginx_resource_location="${i#*=}"
-    shift
-    ;;
     --certificates=*)
     certificates="${i#*=}"
     shift
@@ -51,26 +47,12 @@ then
     echo "Please set 'nginx-deployment-name' ..."
     exit 1
 fi
-if [[ ! -v nginx_resource_location ]];
-then
-    echo "Please set 'nginx-resource-location' ..."
-    exit 1
-fi
 if [[ ! -v certificates ]];
 then
     echo "Please set 'nginx-certificates' ..."
     exit 1
 fi
 
-arm_template_file="nginx-for-azure-certificate-template.json"
-
-#get the ARM template file
-wget -O "$arm_template_file" https://raw.githubusercontent.com/nginxinc/nginx-for-azure-deploy-action/a69d33feaa1a8a012ec44c138ca78c6ec4db9f29/src/nginx-for-azure-certificate-template.json
-echo "Downloaded the ARM template for synchronizing NGINX certificate."
-
-cat "$arm_template_file"
-echo ""
-
 az account set -s "$subscription_id" --verbose
 
 count=$(echo "$certificates" | jq '. | length')
@@ -104,41 +86,33 @@ do
         do_nginx_arm_deployment=0
     fi
 
-    uuid="$(cat /proc/sys/kernel/random/uuid)"
-    template_file="template-$uuid.json"
-    template_deployment_name="${nginx_deployment_name:0:20}-$uuid"
-
-    cp "$arm_template_file" "$template_file"
-
     echo "Synchronizing NGINX certificate"
     echo "Subscription ID: $subscription_id"
     echo "Resource group name: $resource_group_name"
     echo "NGINXaaS for Azure deployment name: $nginx_deployment_name"
-    echo "NGINXaaS for Azure Location: $nginx_resource_location"
-    echo "ARM template deployment name: $template_deployment_name"
     echo ""
     echo "NGINXaaS for Azure cert name: $nginx_cert_name"
     echo "NGINXaaS for Azure cert file location: $nginx_cert_file"
     echo "NGINXaaS for Azure key file location: $nginx_key_file"
     echo ""
 
+    echo "Installing the az nginx extension if not already installed."
+    az extension add --name nginx --allow-preview true
+
     if [ $do_nginx_arm_deployment -eq 1 ]
     then
         az_cmd=(
             "az"
+            "nginx"
             "deployment"
-            "group"
+            "certificate"
             "create"
-            "--name" "$template_deployment_name"
             "--resource-group" "$resource_group_name"
-            "--template-file" "$template_file"
-            "--parameters"
-            "name=$nginx_cert_name"
-            "location=$nginx_resource_location"
-            "nginxDeploymentName=$nginx_deployment_name"
-            "certificateVirtualPath=$nginx_cert_file"
-            "keyVirtualPath=$nginx_key_file"
-            "keyVaultSecretID=$keyvault_secret"
+            "--certificate-name" "$nginx_cert_name"
+            "--deployment-name" "$nginx_deployment_name"
+            "--certificate-path" "$nginx_cert_file"
+            "--key-path" "$nginx_key_file"
+            "--key-vault-secret-id" "$keyvault_secret"
             "--verbose"
         )
         if [[ "$debug" == true ]]; then

github-action/src/deploy-config.sh

@@ -132,7 +132,7 @@ echo "Successfully created the tarball from the NGINX configuration directory."
 echo "Listing the NGINX configuration file paths in the tarball."
 tar -tf "$config_tarball"
 
-encoded_config_tarball=$(base64 "$config_tarball")
+encoded_config_tarball=$(base64 "$config_tarball" -w 0)
 
 if [[ "$debug" == true ]]; then
     echo "The base64 encoded NGINX configuration tarball"
@@ -142,36 +142,28 @@ echo ""
 
 # Synchronize the NGINX configuration tarball to the NGINXaaS for Azure deployment.
 
-uuid="$(cat /proc/sys/kernel/random/uuid)"
-template_file="template-$uuid.json"
-template_deployment_name="${nginx_deployment_name:0:20}-$uuid"
-
-wget -O "$template_file" https://raw.githubusercontent.com/nginxinc/nginx-for-azure-deploy-action/487d1394d6115d4f42ece6200cbd20859595557d/src/nginx-for-azure-configuration-template.json
-echo "Downloaded the ARM template for synchronizing NGINX configuration."
-cat "$template_file"
-echo ""
-
 echo "Synchronizing NGINX configuration"
 echo "Subscription ID: $subscription_id"
 echo "Resource group name: $resource_group_name"
 echo "NGINXaaS for Azure deployment name: $nginx_deployment_name"
-echo "ARM template deployment name: $template_deployment_name"
 echo ""
 
 az account set -s "$subscription_id" --verbose
 
+echo "Installing the az nginx extension if not already installed."
+az extension add --name nginx --allow-preview true
+
 az_cmd=(
     "az"
+    "nginx"
     "deployment"
-    "group"
-    "create"
-    "--name" "$template_deployment_name"
+    "configuration"
+    "update"
+    "--name" "default"
+    "--deployment-name" "$nginx_deployment_name"
     "--resource-group" "$resource_group_name"
-    "--template-file" "$template_file"
-    "--parameters"
-    "nginxDeploymentName=$nginx_deployment_name"
-    "rootFile=$transformed_root_config_file_path"
-    "tarball=$encoded_config_tarball"
+    "--root-file" "$transformed_root_config_file_path"
+    "--package" "data=$encoded_config_tarball"
     "--verbose"
 )